A Survey on Anomaly Detection
by Akira Imada (December 2004)
Anomaly Detection in General --- Artificial Immune System Approach
The works categorized below in this section are by Dasgupta's group,
starting from the latest at this moment and going back to
the group's works in the 1990s.
The reason I chose these works is that the target to be classified as
anomaly or "non-self" is the general real-valued n-dimensional space,
not something specific like internet-traffic-records, data-from-detail-end,
or something like that.
- Detection of Binary Encoded Anomaly
Binary (When my interest is on "A-needle-in-a-haystack")
- [6] F. Esponda, S. Forrest, and P. Helman (2004)
"A formal framework for positive and negative detection."
IEEE Transactions on Systems, Man, and Cybernetics 34:1 pp. 357-373.
A matching rule, "r-chunk", is proposed.
- [15] Ayara, M., J. Timmis, R. D. Lemos, L. N. D. Castro, and R. Duncan (2002)
"Negative Selection: How to Generate Detectors."
Proceedings of 1st International Conference on Artificial Immune Systems (ICARIS)
pp. 89--98.
- Clonal Selection
- Positive Selection
- [4] Gonzalez, F., D. Dasgupta, J. Gomez, The Effect of Binary
Matching Rules in Negative Selection, GECCO-03, 2003
- [6] Esponda, F., S. Forrest, P. Helman, A Formal Framework
for Positive and Negative Detection Scheme, IEEE
Transaction on Systems, Man, and Cybernetics, 2003
- [11] Ceong, H. T., et al, Complementary Dual Detectors for
Effective Classification, ICARIS-03, 2003
- [13] Kim, J., et al, An evaluation of negative selection in an
artificial immune system for network intrusion detection, in
Proceedings Genetic Evolutionary Computation
Conference, San Francisco, 2001
- [15] Ayara, M., J. Timmis, R. de Lemos, L. de Castro, and R.
Duncan, Negative Selection: How to Generate Detectors,
1st ICARIS, 2002
- Negative Selection
What we should especially note about algorithms using negative selection is that
only the negative (or normal) training data are needed, as Dasgupta et al. wrote in
- Dasgupta, et al (1899) "An Anomaly Detection Algorithm
Inspired by the Immune System."
(Dasgupta et al. Eds), Artificial Immune System and Their Application
Dasgupta's group in Memphis, US, has given us an excellent series of systematic proposals,
one every year, of a detector
to detect "non-self" in the continuous multi-dimensional Euclidean space.
The following couple of papers are by Dasgupta's group, from newer to older ones.
- Z. Ji and D. Dasgupta (2004)
"Augmented Negative Selection Algorithm with Variable-Coverage Detectors."
Proceedings of the Congress on Evolutionary Computation
As the authors note, negative selection in this series of papers is very simple,
in the sense that
"The inspiration of negative selection, or negative detection, came from the
T cell development process in the thymus. If a T cell
recognizes self cells, it is eliminated before deployment
for immune functionality. In an analogous manner,
the negative selection algorithm generates the detector set
by eliminating any detector candidates that match self
samples. It is thus used as an anomaly detection
mechanism with the advantage that only the negative (or 'normal')
training data are needed."
Then the authors proposed two algorithms: one generates detectors that are
constant-sized spheres and the other variable-sized spheres. (See my article
"Hints for Implementations".)
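The censoring step described in the quotation above, for the constant-sized case, as an added example that is not code from this page or from the cited papers. It assumes points in the unit square, Euclidean distance, and that a candidate is eliminated when its sphere overlaps the r_self neighbourhood of a self sample; all function names, radii and sample data are constructed for illustration.

```python
import math
import random

def censor(candidates, self_samples, r_self, r_det):
    """Negative selection: eliminate every candidate detector that matches self.

    Assumed rule: a candidate is dropped when its sphere (radius r_det)
    overlaps the r_self neighbourhood of any self sample.
    """
    return [c for c in candidates
            if all(math.dist(c, s) > r_self + r_det for s in self_samples)]

def generate_detectors(self_samples, n, r_self, r_det, dim, rng, max_tries=100_000):
    """Draw random candidates in the unit hypercube until n survive censoring."""
    detectors = []
    for _ in range(max_tries):
        if len(detectors) == n:
            break
        candidate = tuple(rng.random() for _ in range(dim))
        detectors.extend(censor([candidate], self_samples, r_self, r_det))
    return detectors

def is_nonself(point, detectors, r_det):
    """Flag a point as anomalous when it falls inside any surviving detector."""
    return any(math.dist(point, d) <= r_det for d in detectors)

def make_self(rng, n=200):
    """Constructed 'normal' data: points in a disc of radius 0.15 around (0.5, 0.5)."""
    points = []
    while len(points) < n:
        p = (rng.uniform(0.35, 0.65), rng.uniform(0.35, 0.65))
        if math.dist(p, (0.5, 0.5)) <= 0.15:
            points.append(p)
    return points

if __name__ == "__main__":
    rng = random.Random(2004)          # fixed seed so the run is repeatable
    self_samples = make_self(rng)      # only normal data is used for training
    detectors = generate_detectors(self_samples, 400, 0.05, 0.08, 2, rng)
    # Constructed probes: two inside the normal region, three far from it.
    for p in [(0.5, 0.5), (0.52, 0.45), (0.1, 0.1), (0.9, 0.2), (0.8, 0.85)]:
        print(p, "non-self" if is_nonself(p, detectors, 0.08) else "self")
```

By construction no training sample is ever flagged; how much of the non-self region is covered depends on the number and radius of the detectors.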
Immuno-fuzzy Approach
Fuzzy Rules not based on Immune System but Evolved by Genetic Algorithm
- J. Gomez and D. Dasgupta
"Evolving Fuzzy Classifiers for Intrusion Detection"
The authors wrote:
"proposes a technique to generate
good fuzzy classifiers using genetic algorithms that can detect
anomalies ... The main idea is to
evolve two rules, one for the normal class and other for the
abnormal class ..."
And their algorithm is in
Also the detailed algorithm seems to be in
- J. Gomez and D. Dasgupta (2002)
"Using Competitive Operators and a Local Selection Scheme in Genetic Search."
Proceedings (Late-Breaking) of the Genetic and Evolutionary Computation Conference,
pp. 193-200.
But I have not succeeded in getting the paper via Internet.
Messy-GA Approach
Yet Another Intrusion Detection --- Data Mining Approach
Anomaly Detection in Particular ---
Network Intrusion Detection --- Proposals in a more Concrete Way